Social Sharing

Wrong label was applied to an outgoing package containing three operational files on sexual assault

The RCMP have had to refine their Access to Information process after two separate instances of personal information being leaked. (Jonathan Hayward/Canadian Press)

Someone went to the RCMP with an allegation of sexual assault — only to see their most closely-guarded private information accidentally leaked out.

The force is now apologizing after the wrong label was applied to an outgoing package containing three operational files dealing with sexual assaults.

Those files included a complainant's name, date of birth, address, medical test information, health insurance number and the sexual assault allegation statement itself, according to a copy of a report detailing the summer 2017 privacy breach.

That report, obtained by CBC News under Access to Information law, said the complainant was a member of the public, not an RCMP member.

Luckily, the RCMP were able to contact the unintended recipient and recover the leaked information.

"The RCMP manages a large volume of requests and processes thousands of pages for release every year. Occasionally, errors do occur, such as packages being misdirected to the wrong requester," said RCMP spokesperson Cpl. Caroline Duval in an email to CBC.

"The RCMP apologizes to any individuals affected by a breach."

According to the report, management spoke to the employee responsible for the breach about the "importance of verifying outgoing parcels."

After the breach, the RCMP's Access to Information section also implemented weekly training sessions focusing on best practices and started sending alerts to employees about instances of non-compliance with the access rules.

2nd case involved medical information

But those tweaks didn't stop another breach from happening just a few months later.

In February of 2018, a briefing note to the RCMP commissioner containing an employee's personal medical information was accidentally shared by email with about 140 people who "did not have a specific need-to-know," according to another privacy breach report.

Federal institutions are required to notify the Office of the Privacy Commissioner of Canada and the Treasury Board when there's been a privacy breach. (CBC)

The leaked note included the employee's name, the circumstances of an incident, medications taken and duty status, and also discussed the assistance the employee's spouse was providing.

Unlike the case of the previous leak, in this instance the RCMP didn't alert the affected party.

"The RCMP, following its assessment of this breach, determined given the nature of the briefing note and the status of the employee at that time, it was not appropriate to notify the concerned individual," said Duval.

"This incident was reported to the Office of the Privacy Commissioner and the RCMP is continuing to collaborate with their office on this matter."

After the leak, the RCMP Access to Information branch talked to the division involved in the breach about what kind of personal information it should be sharing, and referred to the situation as "outside the normal protocol."

Federal institutions are required to notify the Office of the Privacy Commissioner of Canada and the Treasury Board when there's been a privacy breach.

A spokesperson for Privacy Commissioner Daniel Therrien said the office can't comment on specific cases but added the commissioner's office has long been calling for a number of reforms to the Privacy Act — including the power to go public with government privacy issues.

Last fiscal year, Therrien's office received 286 public sector breach reports — but spokesperson Corey Larocque said the office believes "this is the tip of the iceberg."

That suspicion spurred an investigation which found that thousands of breaches happen every year across government institutions.

"The review found that thousands of breaches occur annually, and while some go unreported, others likely go entirely unnoticed at many institutions," said Larocque.

"Information technology safeguards for new systems are not always sufficient and frontline workers, in particular, don't fully grasp what constitutes personal information or their obligations."

External Links

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.